In Active Directory Federation Services (AD FS), we support a WS-Federation passive sign-out request to the relying party security token service (RP-STS), which invokes a sign-out from each web application accessed during the current browser session. The identity provider security token service (IP-STS) is also included in the sign-out process. Note: The RP-STS and IP-STS are the same server in WebSSO scenarios where there is no federated partner.

Single-sign-on to the various web applications is maintained via session cookies in the browser, and the WS-Federation sign-out process will destroy these cookies so that the user will need to provide credentials for subsequent access to those applications.

WS-Federation sign-out URL:


You can optionally provide an additional query string parameter to land the user on a specific page once sign-out is complete.

Query string parameter to use for post-sign-out landing:


Full URL using the wreply parameter:


Cookies used for WS-Federation sign-out:

AD FS 1.0/1.1 - LSCleanup

AD FS 2.0 - MSISSignOut and MSISSignOutReply (if you use the reply parameter with the request)

When the user has an active session, each accessed resource and the IP-STS will have an entry in the sign-out cookie.

AD FS 2.0 example:

1. The user accessed the web application named ClaimApp:

2. The web application trusts the Trey Research RP-STS:

3. The user's home realm is Adatum, so we see the IP-STS:

*The RP-STS URL is not included in the cookie since the RP-STS already knows its own URL, and this is where the WS-Federation sign-out begins.

4. If you take a Fiddler trace during the WS-Federation sign-out, the cookie is base64-encoded, so you'll need to base64-decode its contents to get back to clear text.

Example of base64-encoded cookie:

MSISSignOut=c2lnbm91dDtodHRwczovL2FkZnMyYXN0cy5hZGF0dW0uY29....(cut off for page formatting purposes)

The decoded contents of the sign-out cookie during the active session are the following:


5. When the initial WS-Federation sign-out request is sent to the RP-STS, the RP-STS will first redirect to the IP-STS with a WS-Federation sign-out request. At this same time, the RP-STS sets the sign-out cookie to the user with a new value. The new value no longer contains the IP-STS URL.

The decoded contents of the sign-out cookie after the initial redirect to the IP-STS:


6. The IP-STS will perform its own WS-Federation sign-out, which will vary by product. If the IP-STS is AD FS 2.0, it will clear out the MSISSignOut cookie that it had originally written to the user.

7. The final step is a request back to the RP-STS: https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignoutcleanup1.0

Upon receiving the wsignoutcleanup1.0 request, the RP-STS responds by clearing out the rest of the MSISSignOut cookie. Once the sign-out cookie is empty, the user's session has been terminated and the user will either land on an AD FS sign-out page or be redirected to a URL if the wreply parameter was used during the initial sign-out request.

The empty sign-out cookie will look like this:

MSISSignOut=; expires=Tue, 01-Jun-2010 21:01:32 GMT; path=/adfs/ls
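The three cookie stages described above (active session, after the redirect to the IP-STS, and the final cleanup), decoded and checked the way you would verify a Fiddler trace, as an added example that is not part of the original article. The "signout;<url>;<url>" entry layout is an assumption consistent with the decoded prefix shown above, and the hostnames are placeholders.

```python
import base64
from urllib.parse import urlsplit


def _enc(clear):
    return base64.b64encode(clear.encode("utf-8")).decode("ascii")


# Constructed Set-Cookie values standing in for a Fiddler trace of the
# sign-out. Entry layout and hostnames are assumptions, not real values.
IP_STS = "https://adfs2asts.adatum.example/adfs/ls/"
CLAIMAPP = "https://claimapp.treyresearch.example/"
SNAPSHOTS = [
    "MSISSignOut=" + _enc("signout;" + CLAIMAPP + ";" + IP_STS) + "; path=/adfs/ls",
    "MSISSignOut=" + _enc("signout;" + CLAIMAPP) + "; path=/adfs/ls",
    "MSISSignOut=; expires=Tue, 01-Jun-2010 21:01:32 GMT; path=/adfs/ls",
]


def decode_signout_cookie(set_cookie):
    """Return the URLs recorded in an MSISSignOut Set-Cookie header ([] if cleared)."""
    name, _, value = set_cookie.split(";", 1)[0].partition("=")
    if name.strip() != "MSISSignOut":
        raise ValueError("not an MSISSignOut cookie")
    value = value.strip()
    if not value:
        return []  # empty cookie: the session has been terminated
    clear = base64.b64decode(value, validate=True).decode("utf-8")
    tokens = clear.split(";")
    if tokens[0] != "signout":
        raise ValueError("unexpected cookie prefix: %r" % tokens[0])
    return [t for t in tokens[1:] if t]


def check_signout_sequence(snapshots, ip_sts_host):
    """Verify the trace: IP-STS entry gone after the first redirect, entries only
    ever removed, and the last snapshot empty (otherwise sign-out is incomplete)."""
    stages = [decode_signout_cookie(s) for s in snapshots]
    if len(stages) > 1 and ip_sts_host in {urlsplit(u).hostname for u in stages[1]}:
        return False, "IP-STS entry still present after the initial redirect"
    for prev, cur in zip(stages, stages[1:]):
        if not set(cur) <= set(prev):
            return False, "an entry was added during sign-out"
    if stages[-1]:
        return False, "sign-out incomplete; remaining entries: %s" % stages[-1]
    return True, "session terminated"
```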

More Information

Detailed information on WS-Federation Sign-out:

Sections: 2.2, 3.4, 5.3